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ABSTRACT 

Fault  tree  analysis,  which  has  proved  to  be  a 
useful  analytical  tool  for  the  reliability  and  safety 
analysis  of  complex  systems,  is  applied  to  the  Naval 
Postgraduate  School  Mini-Satellite  (ORION).  A  general 
background  to  reliability  analysis,  fault  tree 
analysis,  and  fault  tree  construction  is  given.  Impact 
of  a  phased  mission  is  included  in  the  analysis.  A 
fault  tree  for  ORION  is  constructed  and  used  to 
identify  minimal  cut  sets  and  minimal  path  sets.  The 
cuts  sets  and  path  sets  are,  in  turn,  used  to  calculate 
an  estimate  of  ORION'S  reliability  to  perform  a  three 
year  mission.  The  reliability  model  was  constructed  in 
a  Lotus  1-2-3  spreadsheet  to  enable  the  designers  to  do 
"what-if"  analysis. 
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I.  INTRODUCTION 

A.  GENERAL  BACKGROUND  AND  PURPOSE 

The  Naval  Postgraduate  School  Mini-Satellite 
(subsequently  referred  to  as  ORION)  is  an  actual 
engineering  effort  by  the  students  and  faculty  of  the 
Naval  Postgraduate  School  to  produce  a  low  cost,  multi- 
purpose satellite.  The  focus  of  this  thesis,  as  a 
portion  of  that  effort,  is  to  derive  a  fault  tree  for 
ORION  and  assist  in  its  design  by  identifying  weak 
links  in  its  system  reliability.  The  format  of  the 
thesis  is  intended  to  make  the  results  of  this  analysis 
readily  accessible  to  colleagues  to  facilitate  the 
design  and  construction  of  ORION. 

B.  SATELLITE  OVERVIEW 

ORION  is  an  alternative  concept  for  low  cost 
military  spaceflight.  It  is  designed  to  be  an 
inexpensive,  reliable  satellite  bus  that  can  be  mission 
specific,  yet  maintain  a  flexible  architecture.  The 
mission  payloads  can  vary  from  50  lbs.  to  130  lbs.  and 
are  designed  for  a  mission  life  of  three  years.  Due  to 
its  simplistic  design,  ORION  includes  very  little 
redundancy . 

1 .   Objectives  of  ORION 

ORION   is   designed   with   eight   objectives  in 
mind.  They  are: 

a.  to  satisfy   many  small   mission  needs   with  a  low 
cost,  reconf igurable  vehicle. 

b.  to  provide   an  affordable,   boosted-free  flyer  to 
complement  SPARTAN  and  SPAS1. 


1SPARTAN    and    SPAS   are   existing   experimental 
orms  used  by  the  Shuttle.  The 
long  as  the  Shuttle  is  on  station. 


platforms  used  by  the  Shuttle.  They   are  on   station  as 

Ltt: 
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c.  to  achieve   circular  orbits  from  135  nm  (nautical 
miles)  to  800  nm  with  propellant  reserve. 

d.  to  achieve  elliptic   orbits   to   2200   nm   with  a 
perigee  of  135  nm. 

e.  to  have   a  longer   life  at   Shuttle  altitude  than 
SPARTAN . 

f.  to   provide   an   affordable   platform   for   space 
science,  space  technology,  and  military  missions. 

g.  to  provide  a  cost  effective  bus  for  constellation 
prol if eration . 

h.   to  be  dependable  and  affordable. 

2 .  ORION  Main  Subsystems 

For  purposes  of  management  and  design,  ORION 
can  be  separated  into  seven  subsystems.  The  subsystems 
are  : 

a.  the  propulsion  subsystem. 

b.  the  electrical  power  subsystem. 

c.  the  data  storage  subsystem. 

d.  the  telemetry  subsystem. 

e.  the  thermal  control  subsystem. 

f .  the  attitude  control  subsystem. 

g.  the  computer  subsystem. 

The  reliability  analysis  focuses  on  how  the 
subsystems  interrelate.  As  an  example,  all  the 
subsystems  require  the  electrical  power  subsystem  to 
work.  These  dependency  relationships  are  developed  and 
displayed  in  the  fault  tree. 

3 .  Possible  Military  Applications 

Due  to  ORION's  objectives  and  simplistic 
design,  there  are  several  apparent  military 
applications.  Some  of  those  applications  include: 

a.  proliferated  platforms  for  communication. 

b.  ultraviolet  sensor  platforms. 


c.  high  energy  particle  detectors. 

d .  targeting  laser  or  KE  (kinetic  energy) 
weapons,  reentry  vehicle  simulator,  or  kill 
assessment . 

e.  low  cost  imaging  platforms. 

C.  ORGANIZATION 

This  chapter  provides  some  background  to  ORION  and 
its  possible  applications.  Chapter  II  gives  a  short 
background  of  reliability  analysis.  Chapter  III  follows 
with  a  description  of  fault  tree  analysis.  Chapter  IV 
contains  the  applications  of  a  fault  tree  analysis  to 
ORION.  The  final  chapter,  Chapter  V,  states  the 
conclusions,  recommendations,  and  suggestions  for 
further  research. 

D .  SUMMARY 

The  primary  benefit  of  this  analysis  has  been  to 
aid  in  the  design  of  ORION.  This  was  accomplished  by 
identifying  82  minimal  cut  sets.  Of  these  cut  sets  22 
are  single-element  sets,  29  are  double-element  cut 
sets,  27  are  three-element  cut  sets,  2  are  five-element 
cut  sets,  1  is  a  six-element  cut  set  and  1  is  an 
eleven-element  cut  set. 

The  dual  tree  reveals  over  33  billion  distinct 
paths.  Using  modular  decomposition  this  number  is 
reduced  to  three  distinct  paths.  The  path  sets  were 
used  to  determine  the  structural  importance  of  each 
component . 

The  structural  importance  analysis  determined  seven 
different  levels  of  significance.  Twenty  components  are 
structurally  the  most  significant.  A  listing  of  them  is 
given  in  Appendix  C.  The  remaining  levels  and  their 
associated  components  are  listed  in  Chapter  IV. 
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The  reliability  importance  of  components  cannot  be 
determined  since  the  design  is  not  completely 
established.  A  Lotus  spreadsheet  was  developed  to  allow 
the  designers  to  do  a  "what-if"  analysis  with  component 
reliabilities  as  the  subsystems  are  developed. 
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II.  BACKGROUND  TO  RELIABILITY  ANALYSIS 

A  salesman  called  on  Steinway  &  Sons  to  show  them  a 
new  piano-key  pin.  "My  company  believes  this  aluminum 
pin  is  greatly  superior  to  the  pin  you  have  been 
using , "  he  said . 

Mr.  Steinway  deliberated  for  some  moments.  "Well, 
young  man,"  he  said  at  last,  "we  are  an  old  firm,  slow 
and  cautious  about  making  changes.  But  we  will  install 
your  pins  in  one  of  our  pianos  and  give  them  a  trial." 

The  salesman  was  delighted.  "That's  good  enough  for 
me,"  he  said.  "How  long  a  trial  will  you  need?" 

"Oh,"  said  Mr.  Steinway  thoughtfully,  "I'd  say 
about  50  years."  [Ref.  1] 

A .   GENERAL 

Performing  the  mission  is  undoubtedly  the  best  test 
of  reliability.  However,  today's  decision  makers  and 
analysts  rarely  have  Mr.  Steinway 's  luxury  of  time.  Not 
only  is  time  a  scarce  resource,  but  there  are  many 
cases  when  neither  the  system's  working  or  living 
environment  nor  the  money  to  do  extensive  or  realistic 
reliability  tests  is  available.  With  such  constraints, 
other  methods  must  be  employed  to  estimate 
reliabilities  or  limits  on  reliabilities.  Reliability, 
in  the  sense  used  here  and  throughout  the  thesis,  is 
the  probability  of  a  device  performing  its  function 
adequately  for  a  specified  length  of  time  and  operating 
conditions.  Therefore,  the  purpose  of  reliability  or 
system  analysis  is  to  seek  out  those  reliabilities  or 
limits  on  reliabilities.  Within  that  pursuit,  there  are 
two   important   aspects   to   a   system  analysis:  (1)  an 
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inductive  analysis  stage  and   (2)  a   deductive  analysis 
stage . 

During  the  inductive  analysis  stage,  available 
information  on  the  system  is  gathered  and  organized. 
The  system  is  then  defined,  its  functional  purpose  de- 
scribed, and  its  critical  components  determined.  At 
this  stage,  the  question  is  posed  "What  can  happen  to 
the  system  as  a  result  of  component  failure  or  human 
error?"  Possible  system  failure  modes  are  then  hypo- 
thesized. A  failure  modes  and  effects  analysis  is 
conducted  at  the  component  level.  Specifically,  a  list 
of  all  envisioned  mechanical  and  electrical  failure 
modes  is  generated.  This,  in  turn,  leads  to  a  critical 
components  list  including  assessed  failure  rates. 
Additionally,  it  is  well  known  that  system  failures 
often  occur  at  subsystem  interfaces.  The  interfaces, 
therefore,  become  an  important  part  of  the  analysis 
along  with  the  components. 

The  deductive  analysis  of  a  system  or  reliability 
analysis  answers  the  question  "How  can  a  system  fail 
(or  succeed)  or  be  unavailable?"  A  logic  tree  (or  fault 
tree)  is  often  the  best  device  for  deducing  how  a  major 
system  failure  event  could  occur.  However,  its 
construction  depends  on  a  thorough  understanding  of  the 
system  and  the  results  of  the  system  inductive 
analysis.  A  block  diagram  or  a  network  graph  is  a 
useful  device  for  representing  a  successfully 
functioning  system.  Since  the  network  graph  is  close  to 
a  system  functional  representation,  it  cannot  capture 
abstract  system  failure  and  human  error  events  as  well 
as  the  logic  tree  representation.  [Ref.  2:  pp.  1-2] 

Also  during  the  deductive  stage  a  particular  method 
of  analysis  must  be  selected  and  employed.  Some  of 
those  methods  include:  fault  tree  analysis;  state  space 
approach;    decomposition     method;    circuit    stress 
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analysis;  network  reduction  technique;  block  diagrams; 
and  Monte  Carlo  simulation.  Each  has  its  advantages  and 
disadvantages.  The  primary  reason  fault  tree  analysis 
was  selected  is  that  ORION  is  still  in  its  design  stage 
and  fault  tree  analysis  is  particularly  beneficial  in 
developing  a  design. 

B.   PHASED  MISSIONS 

Phases  of  deployment  affect  a  satellite's 
reliability.  A  phase  change  occurs  whenever  the  size  of 
the  set  of  active  components  changes.  Another  way  to 
look  at  this  is  to  say  the  functional  organization  of 
the  system  changes  with  time.  During  each  phase  of  the 
mission  the  system  must  accomplish  a  specified  task. 

A  phased  mission  profile  causes  complexities  not 
present  in  a  single-phase  system.  However,  it  can  be 
transformed  into  an  equivalent  synthetic  single-phase 
system.  This  refined  profile  can  then  be  used  to  derive 
an  approximation  of,  or  bounds  on,  mission  or  satellite 
reliability. 

It  is  inappropriate  to  do  a  standard  reliability 
analysis  for  each  separate  phase,  and  then  multiply  the 
resulting  phase  reliabilities  together  as  if  they 
referred  to  independent  events.  The  implicit  assump- 
tion, that  each  component  is  functioning  at  the 
beginning  of  a  phase  when  the  system  has  functioned 
throughout  the  previous  phase,  is  not  necessarily  true. 
[Ref.  3:  pp.  11,  12]  A  component  must  have  survived  the 
first  n-1  phases  before  it  can  function  in  the  ntn 
phase.  Additionally,  through  the  sequence  of  phases,  a 
component  or  set  of  components  may  be  turned  on  and  off 
several  times  during  the  first  n-1  phases  before  it  is 
needed  during  the  n*-*1  phase.  These  are  all  reasons 
the  phase  reliabilities  cannot  be  merely  multiplied 
together   to   obtain   an  overall   system  reliability.  A 
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simple   example   follows   to   illustrate  phased  mission 
analysis . 

Example  2 . 1  A  system  with  two  independent 
components,  C^  and  C2 ,  is  designed  for  a  two-phased 
mission.  In  order  for  the  system  to  perform  the 
required  tasks,  at  least  one  component  has  to  function 
through  phase  1  and  both  components  have  to  function 
through  phase  2.  The  block  diagrams  for  this  system  is 


phase  1 


phase  2 


For  k=l,2,  let  p^i  denote  the  probability  that 
component  C^  functions  through  phase  1,  and  p^2  denote 
the  conditional  probability  that  component  C^  functions 
through  phase  2,  given  that  it  has  functioned  through 
phase  1.   The  system  reliability  for  phase  1  is 

Pi  =  Pll  +  P21  ~  PllP21»  anc*  t^ie  system  reliability  for 
phase  2,  given  that  both  the  components  have  functioned 
through  phase  1,  is  P2  =  P12P22*  Multiplying  these 
together  would  lead  to  the  mission  reliability 

P  "  (Pll  +  P21  -  P11P21  )P2lP22 

This  is  greater  than  the  correct  mission  reliability, 
which  is 

PllPl2P2lP22 

since  mission  success  is  achieved  only  if  both  compo- 
nents function  through  both  phases.  [Ref.  3:  pp.  12- 
13] 
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C.   MISSION  PROFILES 

An  additional  complication  to  phased  missions  is 
the  absence  of  an  exact  mission  profile  for  ORION. 
Since  ORION  is  designed  to  be  a  low-cost  general 
purpose  bus  for  an  electronics  package,  it  can  be 
employed  in  an  infinite  variety  of  profiles.  For 
purposes  of  this  analysis,  two  distinct  profiles  are 
analyzed . 

The  first  mission  profile  envisions  a  3-axis 
stabilized  sensor  platform  that  does  not  experience  an 
orbit  change.  After  the  satellite  has  been  ejected  from 
the  canister  it  becomes  autonomous.  A  short  time  delay 
is  needed  before  ORION  begins  its  mission  profile.  The 
time  delay  is  necessary  to  insure  ORION  is  sufficiently 
away  from  the  Shuttle  before  it  becomes  active.  This 
profile  is  partitioned  into  five  phases.  They  are: 

activation 

antenna  boom  deployment 

establish  orientation 

re-orientation  (if  necessary) 

station  keeping 
The  purpose  of  the  activation  phase  is  to  "wake  up" 
ORION  and  conduct  internal  checks  to  insure  ORION  is 
functioning.  The  antenna  deployment  phase  is  completed 
when  the  antenna  booms  are  locked  in  the  extended 
position.  The  specific  mission  of  the  orientation  phase 
is  to  establish  ORION's  spatial  and  orbital  orienta- 
tion. The  fourth  phase  may  or  may  not  occur.  If  it  is 
determined  that  ORION  is  not  properly  oriented  then  re- 
orientation is  essential.  This  phase  includes  any 
necessary  re-orientation  commands.  The  final  phase 
ensures  ORION  maintains  the  orbit(s)  specified  by  its 
mission  profile.  All  of  ORION's  subsystems  are  required 
(i.e.  must  function)  to  perform  station  keeping  tasks. 
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The  second  mission  profile  is  for  a  spin  stabilized 
satellite  with  an  orbit  change.  Such  a  profile  is 
characteristic  of  a  communications  satellite.  This 
profile  has  nine  phases  with  the  same  four  initial 
phases  as  the  first  mission  profile  (i.e.  activation, 
antenna  boom  deployment,  orientation  and  re- 
orientation). The  remaining  five  phases  are: 
-   orbit  boost 

orbit  fix 

orientation 

re-orientation  (if  necessary) 

station  keeping 
The  purpose  of  the  orbit  boost  phase  is  to  accelerate 
ORION  out  of  its  low  earth  orbit.  The  orbit  fix  phase 
establishes  ORION'S  mission  orbit.  The  remaining  three 
phases  are  identical  in  purpose  to  the  final  three 
phases  of  the  first  mission  profile.  Again,  all  of 
ORION'S  subsystems  must  function  to  perform  station 
keeping  tasks. 

In  both  mission  profiles  (or  in  any  mission  profile 
generated)  the  last  phase  utilizes  all  of  the  satel- 
lite's subsystems.  Since  all  subsystems  are  needed 
during  the  last  phase,  the  phased  mission  analysis 
dictates  that  every  subsystem  must  survive  the  entire 
mission  life.  The  resulting  synthetic  single-phase  is 
all  the  subsystems  operating  in  series  during  the 
entire  length  of  the  mission. 
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III.   FAULT  TREE  ANALYSIS  DESCRIPTION 

A.   BACKGROUND  TO  FAULT  TREE  ANALYSIS 

The  bulk  of  this  chapter  is  a  compilation  of 
information  extracted  from  reliability  literature.  It 
is  included  here  only  to  give  the  reader  a  background 
to  the  fault  tree  reliability  analysis  performed  in 
this  thesis. 

The  fault  tree  method  resulted  from  a  contract 
between  the  Air  Force  Ballistics  Division  and  Bell 
Telephone  Laboratories  for  the  study  of  an  inadvertent 
launch  of  the  Minuteman  ICBM.  The  Launch  Control  Safety 
Study  (1962)  first  described  fault  tree  analysis  in 
Volume  I  Section  VII  "Method  of  Inadvertent  Launch 
Control  Analysis."  Minuteman  I  was  in  production  when 
the  study  was  completed,  therefore  no  design  changes 
resulted  from  the  study  (effecting  design  changes  has 
become  a  primary  advantage  of  fault  tree  analysis). 
Because  the  results  of  the  analysis  were  so  close  to 
the  observed  data  of  Minuteman  I,  fault  tree  analysis 
was  used  during  the  design  phase  of  Minuteman  II.  Since 
then,  fault  tree  analysis  has  been  used  in  combination 
with  other  techniques  to  predict  and  improve  safety 
performance  and  reliability  in  complex  aerospace  and 
military  systems. 

After  initial  work  at  Bell  Telephone  Laboratories, 
development  of  the  fault  tree  method  continued  at  the 
Boeing  Company,  where  the  technique  was  applied  to 
manned  spacecraft.  Boeing  and  AVCO  published  fault  tree 
reports  on  the  Minuteman  II  system  in  March  1963,  and 
January  1964,  respectively.  In  June  1965,  Boeing  and 
the  University  of  Washington  co-sponsored  a  System 
Safety  Symposium   in  Seattle.  Five  of  the  presentations 
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were  fault  tree  articles  by  Boeing  employees.  A  paper 
by  A.  B.  Mearns  of  Bell  Telephone  Laboratories  also 
described  fault  trees.  These  six  papers  and  the  Launch 
Control  Safety  Study  are  the  main  references  cited  in 
articles  after  1965.  [Ref.  4:  p.  3] 

Fault  tree  analysis  consists  of  six  steps: 

1.  define  the  top  event  to  be  investigated, 

2.  gain  an  understanding  of  the  system, 

3.  construct  the  tree, 

4.  collect  quantitative  data, 

5.  evaluate  the  probability  of  the  top  event, 
and 

6.  analyze  the  results. 

The  top  event  of  the  tree  should  be  well  defined  in 
terms  of  operating  modes  of  the  system,  environmental 
conditions  and  time  limits.  However,  the  failure  must 
represent  a  major  system  malfunction  which  threatens 
personnel  or  equipment. 

Generally  accepted  symbols  are  necessary  to 
represent  differences  in  events  and  logic  relationships 
since  the  fault  tree  is  graphic  as  well  as  analytic.  In 
addition,  several  people  at  separate  locations  and  at 
different  times  may  contribute  to  the  analysis.  The 
following  sections  describe  events,  logic  gates  and 
special  symbols. 

Instead  of  being  hardware  oriented,  fault  tree 
analysis  is  event  or  failure  oriented;  that  is,  it 
examines  a  particular  system  failure  for  all  possible 
causes.  Control  of  the  system  failure  through  knowledge 
of  its  causes  is  the  analysis  objective.  The  tree  is  a 
graphical  representation  of  possible  causes  of  a  major 
failure  which  appears  at  the  top  of  the  tree  (called 
the  top  event).  During  construction,  the  tree  grows 
downward  and  outward  as  failures  and  causes  are 
described   in   increasing   detail.   When   the   tree   is 
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completed,  probabilities  are  associated  with  the 
failures  lowest  on  the  tree.  The  bottom  events  concern 
failures  of  basic  components  which  can  be  associated 
with  probabilities.  The  assigned  probabilities  are 
combined  as  dictated  by  logic  gates  to  give 
probabilities  for  events  higher  on  the  tree.  The 
combination  of  probabilities  continues  until  the 
complex  top  event  has  a  probability  calculated  from  the 
accurate  component  data  at  the  bottom  of  the  tree.  In 
general,  fault  tree  analysis  involves  two  kinds  of 
reasoning:  the  thought  processes  involved  in 
construction  produce  a  downward  flow,  whereas  the 
evaluation  of  probability  and  operation  of  the  logic 
gates  dictate  an  upward  flow.  [Ref.  4:  pp.  1,6,7]  See 
Figure  3.1  for  an  example  of  a  fault  tree. 

B.   PURPOSE  OF  FAULT  TREES 

Generally,  fault  trees  serve  three  purposes. 

First,  they  aid  in  determining  the  possible  causes 
of  a  system  failure.  When  properly  used,  the  fault  tree 
often  leads  to  discovery  of  failure  combinations  which 
otherwise  might  not  have  been  recognized  as  causes  of 
the  top  event . 

Secondly,  they  serve  as  a  display  of  results.  If 
the  system  design  is  not  adequate,  the  fault  tree  can 
be  used  to  show  what  the  weak  points  are  and  how  they 
lead  to  undesirable  events.  If  the  design  is 
adequate,  the  fault  tree  can  be  used  to  show  that  all 
conceivable  causes  have  been  considered. 

Lastly,  they  provide  a  convenient  and  efficient 
format  helpful  in  the  computation  of  the  probability  of 
system  failure.  [Ref.  5:  p.  10] 


20 


Bottom  Events 


Figure  3.1   Example  of  a  Fault  Tree 
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C.   ASSUMPTIONS 

In  selecting  fault  tree  analysis  as  the  analysis 
tool,  some  assumptions  had  to  be  made.  Fault  tree 
analysis  requires  each  component  to  be  either  in  a  go 
or  no-go  status^.  Typically,  a  spacecraft  has  functional 
states  which  are  considered  as  degraded.  During  the 
design  of  ORION,  subsystems  were  engineered  for  more 
than  just  their  design  envelope.  An  example  is  the 
propulsion  system.  More  fuel  than  an  extreme  mission 
profile  would  require  is  designed  into  ORION.  As  such, 
a  true  degradation  will  exist  in  the  working  environ- 
ment (i.e.  fuel  is  used  throughout  the  mission  and  its 
tank  is  not  always  full),  and  the  propulsion  system  is 
considered  to  either  work  or  not  work. 

System  components  are  assumed  to  have  statistically 
independent  lives_.  No  component  can  be  repaired  or 
replaced,  and  each  component  has  a  finite  life.  [Ref. 
6:  p.  10]  As  with  the  components,  only  two  states  of 
the  system  are  recognized,  functioning  or  failed.  It  is 
assumed  throughout  this  thesis  that  the  state  of  the 
system  (i.e.  functioning  or  failed)  is  completely 
determined  by  the  states  of  its  components. 

Each  component  will  be  tested  prior  to  installation 
and  again  after  installation  to  insure  the  system 
functions  properly.  The  total  test  time  for  every 
component  will  be  at  least  500  hours.  During  these 
tests  the  components  will  have  an  opportunity  to  fail 
and  be  replaced.  If  after  all  the  tests  the  component 
is  still  functioning,  it  is  assumed  it  will  face  a 
constant  failure  rate  during  its  mission  life.  This 
assumption  means  the  exponential  distribution  will  be 
used  in  determining  a  component's  survival  probability. 

The  physical  structure  of  the  satellite  will 
undergo  stresses  and  strains.  Throughout  the  analysis 
it   is   assumed   the   satellite   will   not   be  stressed 
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outside  of  Its  design  envelope.  This  means  no  component 
will  experience  loads  greater  than  or  equal  to  its 
elastic  limit.  Additionally,  no  part  will  experience 
fatigue  failure  due  to  cyclic  mechanical  or  thermal 
stress  loading.  It  is  also  assumed  the  shared  stress 
environment  creates  associated  components.  The  concept 
of  association  will  be  addressed  later. 

All  basic  events  are  assumed  to  be  relevant  to  the 
event  tree.  This  means  each  basic  event  appears  in  the 
union  of  the  min  cut  sets.  A  formal  definition  of 
relevant  components  is  presented  in  Section  J  of  this 
chapter . 

D.   ADVANTAGES  OF  FAULT  TREES 

There  are  some  distinct  advantages  of  fault  tree 
analysis  that  make  it  particularly  suited  for  the 
reliability  analysis  of  ORION.  These  advantages 
include : 

1.  the  clarity  of  subsystem  interrelation  is  ex- 
pressed by  the  tree. 

2.  the  fact  that  the  tree  can  be  quantified. 

3.  enabling  the  analyst  to  focus  on  one  particular 
undesired  event  at  a  time. 

4.  for  constructing  meaningful  fault  trees,  the 
analyst  has  to  interact  with  the  designers  and 
operators  to  fully  understand  the  system.  The 
insight  obtained  during  this  process  is  of  major 
benefit  to  system  design,  since  weaknesses  are 
spotted  and  corrected  during  this  period. 

5.  the  graphical  representation  of  the  logic  struc- 
ture provides  a  visual  tool  to  both  the  engineers 
and  management  and  is  useful  for  justifying 
design  changes  and  performing  trade  off  studies. 

6.  the  fault  tree,  being  in  essence  a  top-down 
failure  mode  and  effect  analysis,  lends  itself  to 
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better  organization  and  control  than  the  conven- 
tional failure  mode  and  effect  analysis.  Because 
of  the  top-down  approach,  it  also  offers  more 
flexibility  in  terms  of  termination  at  any  hard- 
ware level  as  well  as  selectively  exploring 
certain  critical  faults  in  greater  depth. 
7.  the  fault  tree  can  be  used  to  obtain  minimal  cut 
sets  which  define  the  modes  of  system  failure  and 
identify  critical  components.  [Ref.  7]  Minimal 
cut  sets  are  addressed  in  paragraph  G  of  this 
chapter . 

E.  DISADVANTAGES  OF  FAULT  TREES 

Though  there  are  some  general  drawbacks  to  fault 
tree  analysis,  these  shortcomings  do  not  adversely 
affect  the  analysis  of  ORION.  Fault  tree  analysis  can 
be  time  consuming,  expensive  to  produce,  and  include 
overwhelming  detail  for  large  or  complex  systems.  Since 
ORION  is  to  be  a  low  cost,  multi-purpose  bus,  a  fault 
tree  analysis  is  not  necessarily  complex  or  time 
consuming.  Another  general  drawback  is  it  requires 
considerable  effort  to  include  all  types  of  common 
cause  failures  in  the  fault  tree.  A  fault  tree  cannot 
readily  handle  priority  AND  gates  and  elements  in  cold 
standby.  A  priority  AND  gate  restricts  its  inputs  to  a 
specified  sequence.  ORION  has  no  feature  requiring  a 
priority  AND  gate  and  has  no  component  in  cold  standby. 

F.  CONSTRUCTION  OF  A  FAULT  TREE 

There  are  three  groups  of  symbols   commonly  used  to 

construct  a  fault  tree.  The  three  groups  presented  here 

are   the  events,   the   logic   gates   and   some  special 
symbols . 
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1 .  Events 

Four  kinds  of  events  are  represented  by  the 
four  symbols  in  Figure  3.2.  A  circle  represents  a 
clearly  defined  failure  of  a  basic  component.  In  con- 
trast to  the  exactness  represented  by  the  circle  is  the 
uncertainty  associated  with  a  diamond  event,  which  is  a 
failure  not  well  understood  because  of  absence  of 
information  or  significance.  Circles  are  called  primary 
events  and  diamonds  secondary  events.  Collectively  they 
are  called  bottom  events.  As  such,  they  are  on  the 
bottom  of  the  tree,  have  reliabilities  associated  with 
them,  and  represent  the  depth  of  resolution.  Normal, 
frequently  occurring  events  are  symbolized  by  a  house- 
shaped  figure.  An  example  is  the  satellite  being 
eclipsed  by  the  earth.  Without  sunlight  the  solar 
panels  will  not  generate  a  voltage.  Though  no  voltage 
is  considered  a  failure,  this  condition  is  not  the 
result  of  a  broken  panel.  Finally,  several  events 
combined  together  by  a  logic  gate  form  a  combination 
event  represented  by  a  rectangle.  Rectangles  are  called 
gate  events.  Gate  nodes  correspond  to  intermediate 
events  while  the  top  node  corresponds  to  a  very  serious 
system  failure  event. 

2 .  Logic  Gates 

Many  different  logic  gates  are  used  to  combine 
events,  but  three  simple  ones  are  sufficient.  These 
three  (AND,  OR,  and  INHIBIT)  are  illustrated  in  Figure 
3.3.  Note  that  the  inputs  enter  from  below  and  the 
output  comes  from  the  top  of  the  gate.  The  AND  gate 
produces  an  output  if  all  the  inputs  exist  simulta- 
neously. The  OR  gate  produces  an  output  when  at  least 
one  of  the  input  conditions  occur.  These  two  gates  are 
the  same  as  ordinary  usage  of  the  words  "and"  and  "or." 
The  INHIBIT  gate  produces  output  when  the  input  is 
present  and  a  specified  condition  exists.  In 
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Circle 


Diamond 


Basic  component  failure 


Failure  undeveloped  due  to  lack  of 
information  or  lack  of  significance 


Normally  occuring  event 
probability  close  to  one 


House 


Rectangle 


Ellipse 


Combination  of  other  three  events 
does  not  appear  at  lowest  level 
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Priority  description  or  restriction 
placed    on  the  gate  or  an 
indicator  of  multiple  components 


Figure  3.2  Events 
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AND  Gate 


Priority  AND  Gate 


Description  of  priority 
or  restriction  on  inputs 


OR  Gate 


Restricted  OR  Gate 


Restriction  on  input 
combinations  producing 
output 


Figure  3.3  Logic  Gates 
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words,  the  output  is  "inhibited"  by  lack  of  the  stated 
condition.  The  INHIBIT  gate  can  be  compared  to 
FORTRAN'S  logical  IF  statement.  The  FORTRAN  statement 
"IF  (A  .EQ.  B)  GOTO  1030"  states  that  if  the  condition 
A  equals  B  is  satisfied,  go  to  statement  number  1030. 
If  the  condition  is  not  satisfied,  continue  in  normal 
sequence . 

3 .   Special  Symbols 

Shown  in  Figure  3.4  are  three  special  symbols 
representing  parts  of  trees  used  to  reduce  redundancy. 
These  comprise  the  last  set  of  symbols  presented  for 
construction  of  a  fault  tree. 

The  hexagon  refers  to  another  fault  tree  which 
is  substituted  where  the  symbol  appears.  A  good  use  for 
this  symbol  would  be  when  a  particular  failure  needs 
further  definition.  The  detailed  tree  would  be  headed 
with  another  hexagon  and  bear  the  same  label  as  the 
hexagon  in  the  original  tree. 

To  repeat  another  portion  of  the  same  tree,  a 
pair  of  triangles  is  used.  The  portion  of  the  tree 
below  the  triangle  on  the  left  is  substituted  at  the 
point  where  the  triangle  appears  on  the  right. 

The  last  special  symbol  (an  ellipse)  indicates 
identical  components  either  in  series  or  parallel.  In 
this  case  only  one  component  is  mentioned  and  the 
redundancy  is  shown  by  an  ellipse  around  the  input.  The 
number  of  components  is  written  beside  the  symbol. 

G.   MINIMAL  CUT  SETS 

A  listing  of  minimal  cut  sets  (or  min  cut  sets  or 
MCS)  is  useful  for  design  purposes  by  helping  to 
determine  the  "weakest  link(s)"  in  the  system.  A  cut 
set  is  defined  as  any  set  of  primary  and  secondary 
events  whose  occurrences  cause  the  top  event  to  occur. 
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Figure  3.4  Special  Symbols 
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A  cut  set  is  minimal  if  it  cannot  be  reduced  and  still 
ensure  the  occurrence  of  the  top  event. 

The  algorithm  used  to  identify  min  cut  sets  is 
based  on  the  fact  that  AND  gates  always  increase  the 
size  of  a  cut  set  while  an  OR  gate  always  increases  the 
number  of  cut  sets. 

The  simplest  and  clearest  way  to  explain  the  min 
cut  set  algorithm  is  to  illustrate  its  operation  in  an 
example.  The  event  tree  for  Example  3.1  is  Figure  3.5. 

Example  3.1: 

The   algorithm   begins   with   the   gate  immediately 

below  the  top  event.  If  the   gate  is   an  OR   gate,  each 

input  is  an  entry  in  separate  rows  of  a  list  matrix.  If 

the  gate  is  an  AND  gate,   each  input   is  listed   in  the 

first  row   of  a  list  matrix.  Since  the  gate  immediately 

below  the  top  event  in  Figure   3.5  is   an  OR   gate,  the 

construction  of   the  list   matrix  begins  with  inputs  1, 

Gl ,  and  2  in  separate  rows  as  follows: 

1 

Gl 

2 

Since  any  one  of  the  inputs  can  cause  the  top  event  to 
occur,  each  will  be  a  member  of  a  separate  cut  set. 

The  idea  of  the  algorithm  is  to  replace  each  gate 
by  its  input  gates  and  basic  events  until  a  list  matrix 
is  constructed,  all  of  whose  entries  are  basic  events. 
The  rows  will  then  correspond  to  cut  sets. 

Since  Gl  is  an  OR  gate,  Gl  is  replaced  by  its  input 

events  in  separate  rows  as  follows: 

1 

G2 

3 

2 

Likewise,   G2   is   replaced   by  its  input  events  in 

separate  rows. 
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Figure  3.5  Fault  Tree  for  Example  3.1 
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1 

4 
5 
G3 
3 
2 

Since  all  inputs  to  an  AND  gate  must  occur  to  cause 
the  intermediate  event  above  the  AND  gate,  this  shows 
that  an  AND  gate  increases  the  length  of  its  row.  An  OR 
gate,  on  the  other  hand,  increases  the  number  of  rows 
in  the  list  matrix. 

Replacing  G3   (which  is  an  AND  gate)  by  its  inputs, 

the  list  matrix  becomes: 

1 
4 
5 
G4  ,  G5 
3 
2 

Replacing  G4  by  its  inputs,  the  list  becomes: 

1 
4 
5 
6,  G5 
G6,  G5 
3 
2 

Continuing  until  the  list  contains  only   primary  or 

secondary  events  the  list  stops  with  these  (rearranged) 

cut  sets: 

1  6,9  7,9  8,9 

2  6,10  7,10  8,10 

3  6,11  7,11  8,11 

4  6,12  7,12  8,12 

5  6,13  7,13  8,13 

In  this  example  basic  events  are  not  repeated.  If 
basic  events  are  not  repeated  all  of  the  cut  sets  are 
minimal  cut  sets.  This  means  no  one  cut  set  is 
contained  in  any  other  cut  set.  Generally,  if  basic 
events  are  repeated  in  the  tree,  the  algorithm  does  not 
determine  only  min  cut  sets.  So,  when  basic  events  are 
repeated  somewhere  in  the  tree  the  list  matrix  must  be 
searched  to  eliminate  cut  sets  which  contain  other 
sets.  The  final  list  will  then  contain  only  min  cut 
sets  . 
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H.   MINIMAL  PATH  SETS 

The  dual  to  a  cut  set  is  a  path  set.  Path  sets  are 
identified  through  the  dual  event  tree  and  consist  of 
the  events  necessary  to  make  the  system  function  rather 
than  fail.  To  draw  the  dual  event  tree,  replace  AND 
gates  with  OR  gates  and  OR  gates  with  AND  gates  in  the 
original  tree.  Each  event  must  also  be  replaced  with  a 
dual  description.  Failures  in  the  original  tree  become 
successes  in  the  dual  (new)  tree.  In  general,  the  dual 
basic  events  are  the  non-occurrence  of  the  original 
basic  events. 

As  in  the  cut  sets,  the  focus  is  on  the  minimal 
path  sets.  A  path  set  is  minimal  if  it  cannot  be 
further  reduced  and  still  insure  the  top  event  (now  a 
system  success  )  .  Min  path  sets  are  determined  by 
applying  the  same  min  cut  algorithm  to  the  dual  (new) 
tree  . 

I.   PROBABILITY  EVALUATION  OF  FAULT  TREES 

To   build   the   mathematical  structure  necessary  to 

derive  system  reliabilities  the   states  of   a  component 

must  first  be  defined.  To  indicate  the  state  of  the  itn 

component  a  binary  indicator  variable  x-^  is  assigned  to 

component  i : 

I   if  component  i  is  functioning 
x.  =  .      . 

1         [0  if  component  i  is  not  functioning 

where  i  -=  1,...,  n,   and  n   is  the  number  of  components 

in   the   system.   Additionally,   a   binary    variable 

indicates  the  functioning  of  the  system: 

1     if  the   system    is   functioning 


[0  if  the  system  is  not  functioning 
Since  it  is  assumed  that  the  state  of  the  components 
completely  determines  the  state  of  the  system  the 
system    state    can    be    represented    as 

<J>  =  4>(x) 
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where  .       . 

x  =  (xv...,xn). 

The  function  4>(  x )  is  called  the  structure  function  of 
the  system.  The  number  of  components  (n)  in  the  system 
is  called  the  order  of  the  system.  As  an  example,  the 
structure  function  of  a  series  of  n  components  is 

n 

4>(x)  =     x    -   min(jclf  ...  ,x  ). 

1  »   I  1      n 

i   =  1 

Consistent  with  above,  $ ( x )  is  1  only  if  all  the 
components  function. 

Similarly,  for  a  parallel   arrangement  of   n  compo- 
nents, the  structure  function  becomes 

n 
4>(x)  =   [  x      =  max  (x  ,  .  .  .  ,  x  ). 

i   =1 
or  equivalently 

n 


[]*_  =  !-  n  (i-*,). 


This  returns  a  value  of  1  if  there  is  at  least  one 
functioning  component  (i.e.  3i:  x  -  1).  Both  notations  are 
consistent  with  their  respective  usages  in  logic. 

A  k-out-of-n  structure  functions  if  and  only  if  at 
least  k  of  the  n  components  function.  This  structure 
function  is  shown  by 

n 

i  if    y.  x    ~  k 
4>(x)  =  f    l=[l 

o  if  y  x  <  k 
i  =  i 

Fault  trees   with  AND  and  OR  gates  create  structure 
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functions  which  are  coherent2.   Then   given   a  coherent 
structure  (  <}>  )  of  order  n 


n 


x.    <  4>(x)  <  [}Xi 
i  =1 


t  =  1 


This  means  a  system's  performance  is  bounded  below  by  a 
series  representation  and  above  by  a  parallel 
representation.  [Ref.  8:  pp.  6-8] 


With  the   j 


th 


(j   -If  ...  »  p)  min  path  set  P-«  ,  we 
P    (called  the   minimal  path 


may  express  a  structure    p 

series  structure)  with  arguments  x. ,  I  €  p  : 

p/x)  =  n  xL  • 

i  e  p 

j 

The  structure  p  is  binary  and  takes  on  the  value  1  if 
all  the  components  in  the  j*-*1  min  path  set  function. 
This  expression  depicts  a  path  set  as  a  series 
arrangement  of  the  path  set's  elements.  A  system  will 
function  when  at  least  one  min  path  set  functions.  The 
structure  function  can  then  be  written  as 

P  p 

<t>(x)  -  []  p  (x)  -  1  -  f] 

j  =  i 

function  can  be  viewed  as  a 
parallel  arrangement  of  the  path  sets.  This  is  commonly 
referred  to  as  a  paral lei -series  arrangement. 

Similarly,  with  minimal  cut  sets,  the  structure  k 
(called  the  minimal  parallel  cut  structure)  can  be 
expressed  with  arguments  x  ,  i  £  k   and  j  —   1 ,  .  .  . ,  k\ 


1  -  p  (x) 
j 


J   =1 
This  means  the  structure 


K  (X) 

J 


Uv 

i  6  K 


2A  coherent  structure  being,  roughly,  one  whose 
performance  does  not  deteriorate  when  failed  components 
are  replaced  by  functioning  ones  [Ref.  8:  pp.  191.192J. 
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which  is  binary  and  takes  on  the  value  0  when  all  the 
components  in  the  j""1  min  cut  set  fail,  and  1 
otherwise . 

Since  the  system  will  fail  if  and  only  if  at  least 
one  of  the  min  cut  structures  fails,  the  structure 
function  can  be  viewed  as  a  series  arrangement  of  the 
cut  sets  with  the  elements  of  a  cut  set  arranged  in 
parallel.  Such  an  arrangement  can  be  expressed  as 


4>(x)  =     K.W 

j  =  i 


k 


This  is  referred  to  as  a  series-parallel  arrangement. 

Initially,  the  components  are  assumed  to  be  statis- 
tically independent.  If  the  state  of  the  itn  component 
is  random  (denoted  as  X-^  )  then 

P[X  =  1  )  =  p    =  E[X   ]  for  i  =   1 n 

where   E[X]  means   the    expected   value   of   X.   The 

probability  that  i  functions,  p^ ,  is  referred  to  as  the 

reliability  of   component   i.   In  similar  fashion,  the 

reliability  of  the  system  is 

P[$(X)  =  I  ]  =  r   =  £[fJ>(X)]  . 

The  reliability  of  the  k-out-of-n  case  with 
identical  components  and  reliabilities  becomes  [Ref.  8: 
pp.  20-21] 

n        , 

V  (  n  \Jri       ~\n  -J 


_1  \j  )pJ^  -  p) 

J  =  k 


The  preceding  formula  holds  under  the  assumption  of 
component  independence.  In  reality,  this  is  not  usually 
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the  case.  Independence  will  be  replaced  with  a  form  of 
positive  dependence.  Components  can  become  positively 
dependent  in  various  ways.  For  example,  if  a  subsystem 
has  several  like-components  and  one  of  them  fails,  the 
subsystem  remains  functional  because  the  remaining 
functioning  components  share  the  load.  Another  way 
positive  dependence  is  created  is  when  all  the 
components  are  subjected  to  the  same  stress  environ- 
ment. The  components  of  ORION  fall  in  this  category.  If 
the  reliability  of  a  series  arrangement  of  independent 
components  is  calculated,  when  in  fact  they  are 
associated^,  the  resultant  reliability  will  be  an 
underestimate  of  the  true  reliability.  The  opposite 
holds  for  parallel  systems.  [Ref.  8:  pp.  29,32] 

The  following  min-max  bounds  theorem  is  presented 
in  Reference  8,  page  37,  along  with  the  theorem's 
proof . 

Let  $  be  a   coherent  structure.  Let  P^ ,  P£ » • . • »  Pp 
be  the  component  min  path  sets   corresponding  to  $ 
and  let   K^ ,  K2 , . . . ,  K^  be   the  component   min  cut  sets 
corresponding   to  $  .   If   components   are  associated, 
then  the  following  bounds  hold: 

max     r— ,  min    j  y 

n^  wx>  =  1 1  *  .  <  < .  Li  pi 

l^<p    ^   <  1  <S<*  .iK 

r  s 

Another,   equivalent   relationship   can  be  expressed  in 
terms  of  q^  -  1-Pi-  The  above  bounds  now  become: 

max  ,_,  min 


q     <  P   4>(X)  =  1   <  E[<p   X)  < 
:  <  s  <  k      l  \      '  1  <  r  <  p   L> 

5  1 


q, 


J.   IMPORTANCE  OF  BASIC  EVENTS 

There  are  two  kinds   of   component   importance.  The 
first   is    structure   importance   and   the   second   is 


Association  is  a  particular  form  of  positive 
dependence  [Ref.  8:  p.  _lo0]  which  can  be  a  reasonable 
assumption  in  modeling 


iption  In  modeling  ORION. 
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reliability  importance.  Before  discussing  each  of 
these,  the  concept  and  definition  of  relevance  must  be 
established.  The  following  definition  will  be  used. 

The  it*1  component  is  irrelevant  to  the  structure 
$   ,  if  $   is  constant  in  xlt    that  is,   <J>(1. ,  x)   =  <$>(0 .,  x) , 
V(  ■   ,  x)  .    4  Otherwise  the  1th  component  is  relevant  to 
the  structure.  [Ref.  8:  p. 4] 

The  structure  importance  of  a  component  focuses  on 
whether  or  not  a  component  changes  the  structure 
function  from  0  to  1  or  from  1  to  0 .  In  essence,  the 
structural  importance  is  concerned  with  only  relevant 
components.  If  component  i  is  relevant,  then  the 
following  property  holds, 

4>(1  ,  .t)  -  4>(0.,  x)    =  1    for  some  (  ■  .  ,  x). 


When  this  condition  exists  (l-j^x)  is  called  a  critical 
path  vector  for  i  .  Let  n  (i)  denote  the  total  number  of 
critical   path   vectors   for   i.   This   means 


n Ai)    =    ]T    [<t>(l.,  x)  -  4>(0.,  x)]  . 
{ x  |  x.  =  l } 

This  is  also  the  same  total  number  of  critical  path 
sets  for  i.  [Ref.  8:p.  13] 

The   following   is   a    credible   measure    of   the 
structural  importance  of  component  i : 

/  (i)  =  >    [$(1  ,  x)  -  <J)(0  ,  x)|  . 

T       nn  -   1      —         i  i 

2      {x|x.  =  1} 

This  depicts  the  proportional  number  of  the  2n~l 
outcomes  which  have  x^=l  in  the  critical  path  vectors 
for  i.   As  a   result,  for   any  given  $   ,  the  components 


^  Notation 


(l.,x)  -  (Xj,...,  x(_r  l,xj  + 

(  •   .  ,X)  **    {xlt...tX._v   ■     ,Xi+v.     -,  Xn) 
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1 \] 

1 V 


may  be  ordered  (based  on  structural  importance)  by 
ordering  1(1),...,   I  (n) .         [Ref.  8:p.  14] 

The  second  type  of  importance  is  the  component's 
reliability  importance.  This  takes  into  account  the 
component  reliabilities  as  well  as  the  system 
structure.  If  components  can  be  ranked  according  to 
their  importance  to  the  system  reliability,  this 
ranking  information  can  be  helpful  in  determining  which 
components  should  have  the  highest  priority  for 
research  and  development.  This  allows  managers  to 
expend  effort  and  money  more  wisely.  [Ref.  8:p.  26] 

Intuitively,  it  would  seem  a  component's 
reliability  importance  could  be  measured  by  observing 
the  rate  of  change  in  the  system's  reliability  as  the 
component's  reliability  changes.  The  reliability 
importance  Ir(i)  of  component  i  is  given  by 

/  (i)   =  E[<p(\    ,  x)  -   <J>(0  ,  x)}   . 

r  i  l 

This  definition  holds  even  if  the  components  are 
associated.  [Ref.  8:  pp.  26-27] 
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IV.  SYSTEM  RELIABILITY  ANALYSIS 

Using  a  copy  of  the  schematics  of  ORION  (Appendix 
A)  and  maintaining  a  constant  interface  with  the 
designers,  the  ORION  fault  tree  was  developed  (Appendix 
B).  Once  the  fault  tree  was  established  the  min  cut 
algorithm  was  applied  to  it.  This  algorithm  revealed  82 
minimal  cut  sets.  Of  these  cut  sets  22  are  single 
element  sets,  29  are  double  element  cut  sets,  27  are 
triple  element  cut  sets,  2  are  five  element  cut  sets,  1 
is  a  six  element  cut  set  and  1  is  an  eleven  element  cut 
set.  Once  these  cut  sets  were  established,  the  dual 
tree  was  constructed  and  the  min  paths  determined. 
There  are  33,890,503,680  distinct  paths,  of  which  the 
vast  majority  is  due  to  the  large  number  of  paths 
through  the  solar  strings.  In  general,  the  paths  are 
formed  by  combining  the  following  components: 

2  out  of  3  attitude  detection  components 

sun  sensor 

earth  sensor 

1  out  of  4  magnetometers 
1  computer 

4   out    of   6    bubble   memory   cards   each   with 
functional  heater  strips  and  thermistors 
1  shunt  regulator 
1  out  of  2  batteries 
14  out  of  24  solar  strings 
4  solar  connectors 

3  out  of  4  momentum  wheels 

1  out  of  2  spin   up   thrusters   with   a  functional 

solenoid 

1  out   of  2   spin  down  thrusters  with  a  functional 

solenoid 
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1  out   of  2   nutation  thrusters   with  a  functional 
solenoid 

1  orbit  insert  thruster  with  a  functional  solenoid 

2  pyrotechnic  valves 

2  fill  and  drain  valves 

2  pressurant  tanks 

1   hydrazine   tank   with   functioning   heaters  and 

thermistors 

Hydrazine  line  intact  with   functional  heaters  and 

thermistors 

1  out  of  2  antennas  functioning  and  deployed 

1  combiner/splitter  in  the  TT&C 

1  TT&C  transceiver 

1  TT&C  interface  hardware 

Pressurant  line  intact 

1  heater  control  hardware 

1  bubble  storage  controller 

1  attitude  control  interface 
If  the  solar  strings  are  considered  as  a  single 
module,  the  number  of  paths  reduces  to  17,280.  Similar 
modular  reductions  can  take  place  when  a  subsystem 
consists  of  k  out  of  n  like-components.  All  but  the 
attitude  detection  subsystem  can  be  reduced  to  an 
equivalent  single  component.  This  reduces  the  final 
number  of  paths  to  three. 

The  three  reduced  paths  were  used  to  calculate  the 
structural  importance  of  the  components.  The  calcula- 
tions reveal  seven  levels  of  relative  importance  in  the 
following  hierarchy  (1  being  the  most  relevant): 

1.  all  basic   components  except   those  listed  below. 
(A  detailed  list  is  given  in  Appendix  C); 

2.  a  momentum  wheel; 

3.  a  bubble  memory  card  with  functioning  heaters  and 
thermistors ; 

4 .  a  solar  string; 
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5.  the  sun  sensor,  the  earth  sensor,  a  nutation, 
spin  up,  and  spin  down  thruster  with  their 
functioning  solenoids; 

6.  a  battery,  an  antenna,  a  hydrazine  tank  heater 
and  a  thermistor;  and 

7.  a  magnetometer. 

A  schematic  of  the  path  sets  is  at  Appendix  C. 

The  reliability  importance  cannot  be  specifically 
calculated  since  the  actual  hardware  for  several 
subsystems  has  not  been  defined.  A  Lotus  1-2-3 
spreadsheet  was  developed  so  the  designers  can  input 
component  reliabilities  as  the  subsystems  are  defined. 
The  spreadsheet  can  then  calculate  the  system's 
reliability  boundaries  and  components'  reliability 
importance.  The  data  (i.e.  component  failure  rates)  for 
inclusion  in  the  spreadsheet  come  from  two  major 
sources,  JPL  TR  32-1505  and  MILSTD  217D.  The  spread- 
sheet identifies  the  lower  boundary  as  the  most 
reliable  path  and  the  upper  boundary  as  the  least 
reliable  cut.  The  number  of  paths  to  compare  is 
significantly  reduced  by  using  a  modular  approach  (i.e. 
using  the  binomial  distribution  to  calculate  the 
reliability  of  a  k  out  of  n  subsystem).  Such  a 
reduction  allows  the  problem  to  be  handled  by  a 
spreadsheet.  Even  in  a  reduced  form,  the  model 
maintains  the  ability  to  discern  an  impact  on  the 
system  reliability  when  changing,  for  example,  only  a 
solar  string's  reliability.  The  spreadsheet  is  then 
singularly  important  because  it  can  readily  do  this 
"what-if"  analysis. 
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V.  CONCLUSION 

A.  OVERALL  FINDINGS 

Throughout  the  analysis,  it  became  apparent  that 
the  fault  tree  is  a  "living"  document.  It  must  be 
maintained  to  reflect  the  existing  design  if  it  is  to 
aid  in  the  design  process.  The  fault  tree  can  help 
explain  the  cause  of  a  failure  after  design  is  complete 
and  the  system  is  on  station,  but  only  if  the  fault 
tree  reflects  the  current  design.  Aiding  in  the  design, 
and  determination  of  a  failure  after  system  employment 
are  strong  motives  to  maintain  the  fault  tree.  This 
thesis  includes  sufficient  background  so  maintenance 
can  be  done  to  insure  the  longevity  of  the  fault  tree. 

A  total  of  82  cut  sets  were  determined  and  the 
components'  structural  importance  derived.  The 
information  can  be  used  to  help  focus  research  and 
budget  efforts. 

Lastly,  a  spreadsheet  was  developed  to  model  the 
system's  reliability  boundaries  as  well  as  component 
reliability  importance. 

B.  RECOMMENDATIONS 

There  are  five  recommendations  based  upon  the  fault 
tree  analysis.  They  are: 

1.  as  each  subsystem  is  developed,  conduct  a 
detailed  fault  tree  analysis  of  that  subsystem. 

2.  after  a  subsystem  is  constructed,  conduct  a 
circuit  stress  analysis  of  each  component  and  the 
subsystem. 

3.  as  the  design  may  change,  maintain  the  fault 
tree . 

4.  for  electrical  components,  use  the  designing 
engineer's   reliability   based   diagram   to   help 
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construct   the   fault   tree.   If  a  diagram  is  not 

available,  request  one  be  made. 
5.   focus   research   and   budget   attention   on  those 

components  listed  with  the  highest  structural  and 

reliability  importance. 
Due  to  ORION'S  design  to  be  low  cost  and 
reconf igurable ,  ORION  is  an  excellent  candidate  for 
constellation  proliferation.  A  logical  follow-on  study 
to  this  one  would  be  a  study  of  a  constellation's 
reliability. 
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APPENDIX  A 

ORION  SUBSYSTEM  SCHEMATICS 

The  enclosed  schematics  were   used   to   develop  the 
fault  tree  for  ORION. 
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APPENDIX  B 

ORION  FAULT  TREES 

The  large  fault  tree  developed  is  broken  into  small 
sections  and  is  included  in  this  Appendix. 
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Figure  B.1  Top  of  Fault  Tree 
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Figure  B.2  Control  Fault  Tree 
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Figure  B.5  Thruster  Fault  Tree 
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APPENDIX  C 

ORION  PATH  AND  CUT  SETS 

Use  of  the  min  cut  algorithm  produced  82  minimal 
cut  sets.  Their  basic  component  designation  and 
description  are  listed  below: 

Single  Element  Cut  Sets 
Yl   Attitude  control  interface  electronics 
Y3   Data  storage  controller 
Y13  Heater  control  hardware 
Y14  Computer 
Y15  Shunt  regulator 

Y42  Propulsion  interface  electronics 
Y43  Hydrazine  line 
Y44  Hydrazine  line  heater 
Y45  Hydrazine  line  thermistor 
Y46  Pressurant  line 
Y47  Hydrazine  tank 
Y52  and  Y53  Fill  and  drain  valve 
Y54  and  Y55  Pressurant  tank 
Y56  and  Y57  Pyrotechnic  valve 
Y66  Orbit  thruster 
Y67  Orbit  thruster  heater 
Y74  TT&C  combiner  splitter 
Y75  TT&C  transceiver  hardware 
Y76  TT&C  interface  hardware 

Double  Element  Cut  Sets 
Y2 ,  Y31   Sun  sensor  and  earth  sensor 
Y16,  Y17  Both  batteries 
Y23,  Y24  Two  solar  array  connectors 
Y36 ,  Y37  Two  momentum  wheels 
Y38,  Y39      Y38,  Y41      Any  pair  of  thrusters 
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Y39,  Y40      Y40,  Y41      (spin  up,  spin  down  or 
Y58,  Y59      Y58,  Y61      nutation)  disabled  by  a 
Y59,  Y60      Y60,  Y61      combination   of   the 
Y62,  Y63      Y62,  Y65      thruster   or   its   heater 
Y63,  Y64      Y64,  Y65      failing   and   a   similar 

failure   on   the   coupled 

thruster . 

Y48,  Y50      Y48,  Y51      Any  combination  of  the 
Y49,  Y50      Y49,  Y51      heaters  and  thermistors 

on  the  hydrazine  tank. 

Y68,  Y71      Y68,  Y72      Any  combination  of  an 
Y68,  Y73      Y69,  Y71      antenna,  an  antenna 
Y69,  Y72      Y69,  Y73      connector,  or  antenna 
Y70,  Y71      Y70,  Y72      deployment  with  the 
Y70,  Y73  similar  events  of  the 

other  antenna. 

Triple  Element  Cut  Sets 
All  of  these  cut   sets   are   any   combination   of  a 
bubble  memory   card,  its   heater  or  its  thermistor  with 
the  similar   events   on   any   other   two   bubble  memory 
cards . 

Y4 ,  Y5,  Y6  Y4 ,  Y5 ,  Y9  Y4 ,  Y5 ,  Y12 
Y4 ,  Y8,  Y6  Y4 ,  Y8 ,  Y9  Y4 ,  Y8 ,  Y12 
Y4 ,  Yll,  Y6     Y4 ,  Yll,  Y9     Y4 ,  Yll,  Y12 

Y7 ,  Y5,  Y6  Y7,  Y5 ,  Y9  Y7 ,  Y5 ,  Y12 
Y7,  Y8,  Y6  Y7,  Y8 ,  Y9  Y7 ,  Y8 ,  Y12 
Y7 ,  Yll,  Y6     Y7,  Yll,  Y9     Y7 ,  Yll,  Y12 

Y10,  Y5 ,  Y6  Y10,  Y5 ,  Y9  Y10,  Y5 ,  Y12 
Y10,  Y8,  Y6  Y10,  Y8 ,  Y9  Y10,  Y8 ,  Y12 
Y10,  Yll,  Y6    Y10,  Yll,  Y9    Y10,  Yll,  Y12 
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Five  Element  Cut  Sets 
Y2  ,  Y32 ,  Y33,  Y34 ,  Y35     The  sun  sensor  and  all 

four  magnetometers 

Y31,  Y32,  Y33,  Y34 ,  Y35    The  earth  sensor  and  all 

four  magnetometers 

Six  Element  Cut  Set 
Y18,  Y19,  Y20,  Y21,  Y22 ,  Y23    One  solar  array 
and  any  five  solar  strings  from  the 
remaining  18 

Eleven  Element  Cut  Set 
Y18,  Y19,  Y20,  Y21,  Y22 ,  Y25 ,  Y26 ,  Y27 ,  Y28 ,  Y29 ,  Y30 
Any  combination  of  11  solar  strings  from  the  24 

The   following   components   were  determined  to  have 
the  highest  structural  importance. 

-  Computer 

-  Shunt  regulator 

-  Solar  array  connectors 

-  Heater  control  hardware 

-  Hydrazine  tank 

-  Hydrazine  line 

-  Hydrazine  line  heater 

-  Hydrazine  line  thermistor 

-  Pressurant  tanks 

-  Pressurant  line 

-  Fill  and  drain  valves 

-  Propulsion  interface  electronics 

-  Orbit  thruster 

-  Orbit  thruster  heater 

-  Attitude  control   iterface 

-  Data  storage  controller 
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-  TT&C  combiner  splitter 

-  TT&C  transceiver  hardware 

-  TT&C  interface  hardware 
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APPENDIX  D 

LOTUS  SPREADSHEET  LISTING 

The  enclosed  listing  of  a  Lotus  1-2-3  spreadsheet 
was  converted  to  a  MathPlan  3.0  format  for  inclusion  in 
this  Appendix.  It  contains  the  elements  necessary  to  do 
a  "what-if"  analysis.  As  the  subsystems  are  designed 
and  constructed,  their  reliabilities  can  be  placed  in 
the  spreadsheet  to  observe  the  subsystem's  impact  on 
the  system's  reliability. 
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AB1  =  (1-[I6])/[I6] 

X2  =  [D29]»[D30]*[D3l] 

AC2  =  AC3*[AB1] 

AG2  =  [131] 

AI2  =  [131] 

AK2  =  [131] 

AL2  =  l-( ( 1-[AG2]  )*( 1-[AI2] )*( 1-[AK2]  ) ) 

L3  =  [138] 

03  =  [120] 
Q3  =  [120] 

R3  =  1-((1-[03])*(1-[Q3])) 

V3  =  (1-[I9])/[I9] 

X3  =  (1-X[2]  )/X[2] 

AC3  =  AC4*[AB1] 

AD3  =  AD4+(AB3*AC3 ) 

AG3  =  [131] 

AI3  =  [138] 

AK3  =  [139] 

AL3  =  l-( ( 1-[AG3]  )*( 1-[AI3]  )*( 1-[AK3]  ) ) 

L4  =  [18] 

04  =  [19] 

04  =  [19] 

R4  =  1-((1-[04])*(1-[Q4])) 

V4  =  V5*[V3] 

W4  =  W5+U4*V4 

X4  =  X[5]*X[3] 

Y4  =  Y5+[U]4*X4 

AC4  =  AC5»[AB1] 

AD4  =  AD5+(AB4»AC4  ) 

AG4  =  [131] 

AI4  =  [139] 

AK4  =  [139] 

AL4  =  l-( ( 1-[AG4]  )*( 1-[AI4]  )*( 1-[AK4]  ) ) 

L5  =  [D7] 

05  =  [116] 
Q5  =  [117] 

R5  =  1-((1-[05])»(1-[QB])) 

V5  -  V6W[V3] 

W5  =  W6+U5»*V5 

X5  -  X[6]*X[3] 

Y5  =  Y6+[U]5MX5 

AC5  =  AC6*[AB1] 

AD5  =  AD6+(AB5WAC5  ) 

AG5  =  [131] 

AI5  =  [131] 

AK5  =  [139] 

AL5  =  l-(  (1-[AG5]  )w(  1-[AI5]  )*«(1-[AK5]  )  ) 

D6  =  EXP( -[C]6»*26280  ) 

16  =  EXP(-[H]6^26280 ) 
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L6 

06 

Q6 

R6 

V6 

W6 

X6 

Y6 

AC6 

AD6 

AG6 

AI6 

AK6 

AL6 

D7 

17 

L7 

07 

Q7 

R7 

AC7 

AD7 

AG7 

AI7 

AK7 

AL7 

18 

L8 

08 

Q8 

R8 

AC8 

AD8 

AG8 

AI8 

AK8 

AL8 

D9 

19 

L9 

09 

Q9 

R9 

V9 

X9 

AC9 

AD9 

AG9 

AI9 


[132] 

[17] 

[17] 

1-((1-[06])*(1-[Q6])) 

[I9]~T6 

V6 

X[2]~2 

X6 

AC7*[AB1] 

AD7+(AB6*AC6 ) 

[131] 

[138] 

[138] 

l-( (1-[AG6]  )*(1-[AI6] )*(1-[AK6] ) ) 

EXP(-[C]7*26280) 

EXP(-[H]7*26280 ) 

[D6] 

[D9] 

[D9] 

1-((1-[07])*(1-[Q7])) 

AC8*[AB1] 

AD8+(AB7*AC7  ) 

[131] 

[131] 

[138] 

1-((1-[AG7]  )»(1-[AI7])«(1-[AK7])) 

EXP(-[H]8*26280 ) 

[D18] 

[D9] 

[D13] 

1-((1-[08])*(1-[Q8])) 

AC9*[AB1] 

AD9+(AB8*AC8) 

[139] 

[139] 

[139] 

l-( (1-[AG8] )*( 1-[AI8] )M(1-[AK8] ) ) 

EXP(-C9*26280 ) 

EXP(-[H]9*26280 ) 

[D33] 

[D31] 

[D31] 

1-((1-[09])*(1-[Q9])) 

(1-[I20])/[I20] 

(1-[I18])/[I18] 

AC10*[AB1] 

AD10+(AB9*AC9  ) 

[138] 

[138] 
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AK9 

AL9 

D10 

LIO 

010 

Q10 

RIO 

V10 

W10 

X10 

Y10 

Z10 

AC10 

AD10 

AGIO 

AI10 

AK10 

ALIO 

Dll 

Lll 

Oil 

Qll 

Rll 

Vll 

Wll 

Xll 

Yll 

Zll 

AC11 

AD11 

AG11 

AI11 

AK11 

ALU 

L12 

012 

Q12 

R12 

V12 

W12 

X12 

Y12 

Z12 

AC12 

AD12 

D13 

L13 

013 

Q13 


[138] 

l-( (1-[AG9]  )*(1-[AI9] )*(1-[AK9] ) ) 

EXP(-[C]10*26280 ) 

[D34] 

[138] 

[139] 

1-((1-[010])*(1-[Q10])) 

V11»V[9] 

W11+(V10*[U]10 ) 

X11*X[9] 

Y11+(X10*[U]10  ) 

Z11+(Y18*[U]10 ) 

AC11*[AB1] 

AD11+(AB10*AC10  ) 

[138] 

[139] 

[139] 

l-(  (1-[AG10]  )**(1-[AI10]  )M(1-[AK10]  )  ) 

EXP(-[C]11*26280 ) 

[D17] 

[D13] 

[D13] 

1-((1-[011])*(1-[QH])) 

V12*V[9] 

W12+(V11*[U]11  ) 

X12*X[9] 

Y12+(X11*[U]11 ) 

Z12+(Y19*[U]11 ) 

AC12*[AB1] 

AD12+(AB11*AC11 ) 

[138] 

[138] 

[139] 

l-( (1-[AG11]  )«(1-[AI11] )*(1-[AK11] ) ) 

[139] 

[D30] 

[D31] 

1-((1-[012])*(1-[Q12])) 

V13»V[9] 

W13+(V12*[U]12 ) 

X13*X[9] 

Y13+(X12*[U]12 ) 

Z13+(Y20*[U]12 ) 

AC13*[AB1] 

AD13+(AB12*AC12 ) 

EXP(-[C]13*26280) 

[140] 

[D29] 

[D31] 
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R13  =  l-( (1-[013]  )*(1-[Q13]  )  ) 

V13  =  V14*V[9] 

W13  =  W14+(V13*[U]13 ) 

X13  =  X14*X[9] 

Y13  =  Y14+(X13*[U]13) 

Z13  =  Z14+(Y21*[U]13) 

AC13  =  AC14*[AB1] 

AD13  =  AD14+(AB13*AC13 ) 

D14  =  EXP(-[C]14*26280 ) 

L14  =  [119] 

014  =  [D30] 
Q14  =  [D30] 

R14  =  1-((1-[014])"(1-[Q14])) 

V14  =  [I20]~4 

W14  =  V14*U14 

X14  =  [I18]~4 

Y14  =  [I18]~4 

Z14  =  [I7]~4 

AC14  =  AC15*[AB1] 

AD14  =  AD15  +  (AB14*AC14  ) 

D15  =  EXP(-[C]15*26280  ) 

L15  =  [D21] 

015  =  [D29] 
Q15  =  [D30] 

R15  =  l-( (1-[015]  )*(1-[Q15]  )  ) 

AC15  =  AC16*[AB1] 

AD15  =  AD16+(AB15*AC15 ) 

AG15  =  [116] 

AI15  =  L00KUP( ( [G18]-[ J18]+l ) , [Y10] : [T14] ) 

AL15  =  1-((1-[AG15] )*(1-[AI15] ) ) 

116  =  EXP(-[H]16*26280 ) 
L16  =  [125] 

016  =  [D29] 
Q16  =  [D29] 

R16  =  1-((1-[016] )*(1-[Q16] )) 

V16  =  (1-[X16]  )/[X16] 

X16  =  [I38]*[I39]*[I31] 

AC16  =  AC17*[AB1] 

AD16  =  AD17+(AB16*AC16 ) 

AG16  =  [117] 

AI16  -  LOOKUP( ( [G18]-[ J18]+l ) ,[Y10] : [T14] ) 

AL16  =  l-( (1-[AI16] )*(1-[AG16] ) ) 

D17  =  EXP(-[C]17*26280 ) 

117  =  EXP(-[H]17*26280 ) 
L17  =  [D19] 

V17  =  V18*V[16] 

W17  =  W18+(U17*V17  ) 

Y17  =  (1-[I7])/[I7] 

AC17  =  AC18*[AB1] 
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AD17  =  AD18+(AB17*AC17 ) 

D18  =  EXP(-[C]18*26280 ) 

118  =  EXP(-[H]18*26280 ) 
L18  =  [D23] 

V18  =  V19*V[16] 

W18  =  W19+(U18*V18) 

Y18  =  Y19*Y[17] 

AC18  =  AC19*[AB1] 

AD18  =  AD19+(AB18*AC18) 

D19  =    EXP(-[C]19*26280 ) 

119  =  EXP(-[H]19*26280 ) 
L19  =  [D32] 

V19  =  V20*V[16] 

W19  -  W20+(U19*V19 ) 

Y19  =  Y20*Y[17] 

AC19  =  AC20*[AB1] 

AD19  -  AD20+(AB19*AC19 ) 

D20  =  EXP(-[C]20*26280 ) 

120  =  EXP(-[H]20*26280 ) 
L20  =  [D20] 

V20  =  V21*V[16] 

W20  =  W21+(U20*V20 ) 

Y20  =  Y21*Y[17] 

AC20  =  AC21*[AB1] 

AD20  =  AD21+(AB20*AC20) 

AG20  =  LOOKUP( [ J6] , [AA33] : [AD51] ) 

AI20  =  L00KUP([J7] ,[T10]:[Z14] ) 

AL20  =  l-( (1-[AI20] )*(1-[AG20] ) ) 

AN20  =  [B84] 

AP20  =  MIN( [L30] : [L75] ) 

D21  =  EXP(-[C]21*26280 ) 

V21  =  V22*V[16] 

W21  =  W22+(U21*V21 ) 

Y21  =  Y22*Y[17] 

AC21  =  AC22*[AB1] 

AD21  =  AD22+(AB21*AC21 ) 

AG21  =  LOOKUP( [J6] , [AA2] : [AD26] ) 

AL21  =  [AG21] 

AN21  =  [A55] 

D22  =  EXP(-[C]22*26280 ) 

V22  =  V23*V[16] 

W22  =  W23+(U22*V22 ) 

Y22  =  [I7]~4 

AC22  =  AC23*[AB1] 

AD22  -  AD23+(AB22*AC22 ) 

AN22  =  [C55] 

AP22  =  [K30] 

D23  =  EXP(-[C]23*26280 ) 

V23  =  [X16]~6 
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V23 

AC23 

AD23 

AC24 

AD24 

125 

AC25 

AD25 

V26 

X26 

Z26 

AC26 

AD26 

V27 

X27 

Z27 

V28 

W28 

X28 

Y28 

Z28 

AA28 

D29 

V29 

W2  9 

X29 

Y29 

Z29 

AA29 

D30 

L30 

V30 

W30 

X30 

Y30 

Z30 

AA30 

131 

L31 

D32 

132 

L32 

D33 

L33 

AC33 

D34 

L34 

AC34 

AD34 


V23 

AC24*[AB1] 

AD24+(AB23*AC23 ) 

AC25*[AB1] 

AD25+(AB24*AC24 ) 

EXP(-[H]25*26280 ) 

AC26*[AB1] 

AD26+(AB25*AC25 ) 

[D9]*[D13] 

[D10]*[D14] 

D11*D15 

[I6]^24 

AB26*AC26 

(1-V26 )/V26 

(1-X26  )/X26 

(1-Z26  )/Z26 

V29*V[27] 

W29+(U28*V28) 

X29*X[27] 

Y29+(  [U28]*X28) 

Z29*Z[27] 

AA29+( [U28]*Z28) 

EXP(-[C]29*26280  ) 

V30*V[27] 

W30+(U29*V29  ) 

X30*X[27] 

Y30+( [U29]*X29 ) 

Z30*Z[27] 

AA30+( [U29]*Z29 ) 

EXP(-[C]30*26280  ) 

[18] 

V26~2 

V30 

X26~2 

X30 

Z26~2 

Z30 

EXP(-[H]31*26280 ) 

[138] 

EXP(-[C]32*26280 ) 

EXP(-[H]32»26280 ) 

[D7] 

EXP(-[C]33*26280 ) 

[132] 

AC34*[AB1] 

EXP(-[C]34*26280  ) 

[D6] 

AC35*[AB1] 

AD35+(AB34*AC34 ) 
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L35  =  [D18] 

AC35  =  AC36*[AB1] 

AD35  =  AD36  +  (AB35*AC35  ) 

L36  =  [D33] 

AC36  =  AC37*[AB1] 

AD36  =  AD37+(AB36*AC36 ) 

L37  =  [D34] 

AC37  =  AC38*[AB1] 

AD37  =  AD38+(AB37*AC37 ) 

138  =  EXP(-[H]38*26280 ) 
L38  =  [D17] 

AC38  =  AC39*[AB1] 

AD38  =  AD39+(AB38*AC38) 

139  =  EXP(-[H]39»26280 ) 

L39  =  l-( (1-EAG15]  )W(1-[AI15] ) ) 

AC39  =  AC40*[AB1] 

AD39  =  AD40+(AB39*AC39) 

140  =  EXP(-[H]40*26280 ) 
L40  =  [139] 

AC40  =  AC41*[AB1] 

AD40  =  AD41+(AB40*AC40) 

L41  =  [140] 

AC41  =  AC42*[AB1] 

AD41  =  AD42+(AB41*AC41 ) 

L42  =  [119] 

AC42  =  AC43*[AB1] 

AD42  =  AD43+(AB42*AC42 ) 

L43  =  l-( (1-[AI16]  )*(1-[AG16]  ) ) 

AC43  =  AC44*[AB1] 

AD43  =  AD44+(AB43»AC43) 

L44  -  [D21] 

AC44  =  AC45»»[AB1] 

AD44  =  AD45+(AB44*AC44 ) 

B45  =  [116] 

L45  =  l-((l-[05] )H(1-[Q5] ) ) 

AC45  -  AC46»[AB1] 

AD45  =  AD46+(AB45*AC45 ) 

B46  =  LOOKUP( [J18] , [T10] : [Y14] ) 

L46  =  [125] 

AC46  =  AC47*[AB1] 

AD46  =  AD47+(AB46»AC46 ) 

C47  =  [B45]*[B46] 

L47  =  [D19] 

AC47  =  AC48«[AB1] 

AD47  =  AD48+(AB47»AC47 ) 

B48  =  [117] 

L48  =  1-((1-[03])*(1-[Q3])) 

AC48  =  AC49*[AB1] 

AD48  =  AD49+(AB48*AC48) 


76 


B49  =  LOOKUP( [ J18] , [T10] : [Y14] ) 

L49  =  [D23] 

AC49  =  AC50*[AB1] 

AD49  =  AD50+(AB49*AC49 ) 

C50  =  [B48]*[B49] 

L50  =  [D32] 

AC50  =  AC51*[AB1] 

AD50  =  AD51+(AB50*AC50 ) 

B51  =  [116] 

L51  =  1-((1-[07])»(1-[Q7])) 

AC51  =  [I6]~18 

AD51  =  AB51*AC51 

B52  =  [117] 

L52  =  1-((1-[04])*(1-[Q4])) 

C53  =  [B51]*[B52] 

L53  =  [D20] 

L54  =  1-((1-[08])*(1-[Q8] )) 

B55  =  [I38]~12 

D55  =  [B51]*[B52] 

G55  =  [G81]*[G82] 

L55  =  [AG21] 

B56  =  [D6]*[D7] 

D56  =  [B45]*[B46] 

G56  =  [G76]*[G77] 

L56  =  l-( (l-[09]  )*(1-[Q9]  )  ) 

B57  =  [I39]~12 

D57  =  [B48]*[B49] 

L57  =  1-((1-[011])»(1-[Q11])) 

B58  =  [18] 

L58  =  l-((l-[O10])*»(l-[Q10])) 

B59  -  LOOKUP( [ElO] ,[T28] : [AA30] ) 

L59  =  l-( (1-[012]  )*(1-[Q12] ) ) 

B60  =  MAX( [C47] : [C53] ) 

L60  =  l-(  (1-[AG9]  )»(1-[AI9]  )**(1-[AK9]  )  ) 

B61  =  LOOKUP( [Ell] , [T28] : [AA30] ) 

L61  =  l-((l-[06])-(l-[Q6])) 

B62  =  [132] 

L62  =  1-((1-[014]  )*(1-[Q14] ) ) 

B63  =  [D18] 

L63  =  l-( (1-EAI20]  )*(1-[AG20]  ) ) 

B64  =  [D33] 

L64  =  1-((1-[013]  )*(1-[Q13]  )  ) 

B65  =  [D34] 

L65  =  1-((1-[AG11] )*(1-[AI11] )M(1-[AK11] )) 

B66  =  [D17] 

L66  =  l-( (1-[015]  )*(1-[Q15]  )  ) 

B67  =  MAX( [G78] , [G83] ) 

L67  =  l-( (1-CAG10]  )*(1-[AI10]  )*(1-[AK10])) 

B68  =  LOOKUP( [ J20] , [TIO] : [¥14] ) 
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L68 
B69 
L69 
B70 
L70 
B71 
L71 
B72 
L72 
B73 
L73 
B74 
L74 
B75 
L75 
B76 
G76 
B77 
G77 
B78 
G78 
B79 
B80 
B81 
G81 
G82 
G83 
B84 


1-((1- 
[D19]~ 

1-((1- 
[140] 

1-(U- 

[119] 

1-((1- 

[D21] 

1-((1- 

[125] 

1-((1- 
LOOKUP 

1-((1- 
[D32] 

1-((1- 

[D23] 

LOOKUP 

[D22]~ 

[I7]~4 

LOOKUP 

[G76]» 
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